Netsec whack-a-mole

Another exploit found in latest Java security patch

Elliot Bentley

Friday’s emergency update can still be bypassed, and Oracle’s reaction doesn’t inspire confidence.

At the back end of last week, Oracle finally caved to days of increasingly negative press over the security holes in Java SE, releasing an emergency patch intended to fix all outstanding issues. While hardly making up for months of ignoring security researchers’ warnings, it at least silenced critics (like us) worrying that it would be neglected until the next security update, scheduled for October.

Unfortunately, it appears that even this hasn’t been enough. Adam Gowdiak of Security Explorations, who last week revealed that Oracle had failed to act on known exploits since April, delivered another blow to the company by revealing on the Bugtraq mailing list that “not all security issues that were reported in Apr 2012 got addressed by the recent Java update”.

Today we sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of the latest Java SE software (version 7 Update 7, released on Aug 30, 2012). The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible again.

So, if Gowdiak’s accusations are legitimate, it appears Java is still insecure. Which is bad enough by itself – but made yet worse by Oracle’s failure to acknowledge it.

Over on Ars Technica, Dan Goodin reports that the company responded to a request for comment by directing him to Thursday’s security advisory, which was published before this latest news broke (update: we received the same response). Meanwhile, in the post’s comments thread, readers argued over whether uninstalling Java was a necessary protective measure.

So a week on, what has been achieved? Very little, it seems: Oracle are still failing to engage with (understandably) worried users, and browsing with Java installed is still potentially insecure. But this time the situation is even worse, since convincing your average user to download two updates within such a short space of time will be a considerable challenge.

From our point of view, there are two measures Oracle needs to take: bake an auto-updating security mechanism into Java, with updates at least once a week; and just as importantly, be honest and transparent about these issues – before the negative press spills outside of the tech community bubble.
